Optimization and ML-based Intrusion Detection for Resilient Power Grids

Sahiti Bommareddy   Daniel Qian   Parv Saxena

Presentation (.pdf) Code (.zip) Code (Github)

Overview

Critical infrastructure should be resilient to both network and system-level attacks. Our goal was to extend the Spire intrusion tolerant SCADA system in the following three ways:

  • Optimizing performance for single site configuration
  • Building a ML-based network intrusion detection component
  • Developing attack vectors for testing
Performance optimization

With the setting of N=6 machines (f=1,k=1) in the single site configuration, each update transaction was bencmarked to have an average time of around 44ms. With minimal changes to Spire code the average transaction time is reduced to 18ms. More specific technical details can be found in the presentation.

ML Based Network Intrusion Detection

Although Spire is intrusion tolerant (i.e. potential attackers cannot execute malicious operations or significantly affect the timeliness of the system), it does not provide alerts or feedback about potential compromises. Implementing such a system to allow for situational awareness could be invaluable to system operators, allowing them to diagnose and fix problems. From previous field tests of Spire as well as our own research, we decided that using Machine Learning would be the best way to approach this problem, as it would allow for detection of novel attcks. Following is a general overview of our system:

  • Collection of Spire's normal network traffic using SPAN
  • Data pipeline that parses packets and then stores for training or predicts on them (see diagram)
  • Traffic pattern based prediction using packet counts per minute. Better at detecting larger scale attacks such as denial of service
  • Packet analysis based prediction that clusters similar individual packets. Can detect packets that are unusual with respect to normal system operation
  • Majority voting between different algorithms to reduce false positive rate

For both types of predictions, we used sklearns implementation of various novelty detection algorithms (an overview of these can be found here). More technical details can be found in the presentation.

Architecture of ML based IDS
Attack Vectors:

To test our ML models, we generated attack vectors that replicate some well known network level attacks:

  • Port Scanning
  • Denial of Service (DOS)
  • Address Resolution Protocol (ARP) Poisoning
  • Replay Attacks

To generate out testbed, we systematically varied parameters in our attack generation scripts, so that different variations of the above mentioned attacks are generated.

We ran the Spire system, and launched these attacks in parallel, to find the performance of our ML models, which is summarised in the table on right.

Packet Analysis Model Traffic Pattern Model Overall System
Accuracy 25/28(89.2%) 22/28(78.6%) 27/28(96.5%)